Captive portal browser challenge issue

Karim.Benyelloul — Thu, 16 Apr 2020 18:35:19 GMT

Hi team,

While trying to deploy Kerberos SSO for enduser authentication I came up to the following issue with the captive portal (browser challenge).

When an end user logged in a windows (part of the domain) tries to connect to "http://neverssl.com" for example here is what's happens on the wire :

1/ The browser send a request to neverssl.com

2/ Pan redirect the browser to the captive portal with 302 to the location : http://palologin.kabe.lab:6080/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f
3/ The browser follows the redirect and gets this response from the palo :

HTTP/1.1 200 OK Date: Thu, 16 Apr 2020 15:29:51 GMT Content-Type: text/html Content-Length: 909 Connection: keep-alive Cache-Control: no-cache Set-Cookie: SESSID=f4MBAV6Yee96xCU+AwMFAg==; path=/ <HTML> <HEAD> <TITLE>Kerberos V5 Authentication Redirection</TITLE> <meta http-equiv="refresh" content="5; url=http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f&preauthid=&returnreq=yes&challengetimeout=yes"> </HEAD> <BODY> <script language="Javascript" type="text/javascript"> if(typeof(Storage) != "undefined") { var orig_url = ""; sessionStorage.setItem ("isoffline", 0); if(orig_url != "") sessionStorage.setItem("origurl", orig_url); } window.location = "http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f&preauthid=&returnreq=yes"; </script> <p><b>Kerberos V5 Authentication Redirection</b></p> <p>In case you see this page, <ol> <li>Your browser does not support both Kerberos and NTLM authentication. Waiting for refresh.</li> </ol> </p> </BODY> </HTML>

4/ The browser executes the javascript and sends a GET request to "http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f&preauthid=&returnreq=yes"

5/ The browser get no responses, and the authentication fails !

The problem is at step 4/ in which the paloalto should make the browser send the GET request to "http://palologin.kabe.lab:6080/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f&preauthid=&returnreq=yes" instead.

I used fiddler to change the browser request number 4 (and add the :6080) and the authentication worked just fine !

I tried to search for similar bug in the KB without success , am I the only one who is facing this issue ? or am I missing something in my config ?

I'm on version 91.2 and here is my config :

Re: Captive portal browser challenge issue

Karim.Benyelloul — Sun, 19 Apr 2020 19:24:02 GMT

Hi everyone, does anyone ever come across this issue ? Just want to make sure if I'm missing something in my config or no

Re: Captive portal browser challenge issue

Karim.Benyelloul — Thu, 23 Apr 2020 08:56:44 GMT

anyone ? 🙂

Re: Captive portal browser challenge issue

Jafar_Hussain — Sun, 05 Jul 2020 20:16:34 GMT

@Karim.Benyelloul

I am facing a kind of similar issue. i want to know what did you allow to fix this issue.

i am not able to open the browser but i can telnet my CP url.

Thanks in advance.

topic Re: Captive portal browser challenge issue in General Topics

Captive portal browser challenge issue

Re: Captive portal browser challenge issue

Re: Captive portal browser challenge issue

Re: Captive portal browser challenge issue